PHP :: Bug #77683 :: Segfault possibly by strange chars

Bug #77683	Segfault possibly by strange chars
Submitted:	2019-02-28 23:56 UTC	Modified:	2019-03-07 09:32 UTC
From:	pascal dot nobus at webservice dot be	Assigned:	cmb (profile)
Status:	Wont fix	Package:	*General Issues
PHP Version:	7.1.26	OS:	Slackware 14.1
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	pascal dot nobus at webservice dot be
New email:
PHP Version:		OS:

New/Additional Comment:

[2019-02-28 23:56 UTC] pascal dot nobus at webservice dot be

Description:
------------
After months of random Segfaults at several servers we have some good core-dumps now.

PHP is compiled as mod_php with apache-2.4.38. Nginx is running as front-proxy.
# apachectl -t -D DUMP_MODULES
Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 mpm_event_module (static)
 authn_file_module (shared)
 authn_core_module (shared)
 authz_host_module (shared)
 authz_groupfile_module (shared)
 authz_user_module (shared)
 authz_core_module (shared)
 access_compat_module (shared)
 auth_basic_module (shared)
 socache_shmcb_module (shared)
 reqtimeout_module (shared)
 filter_module (shared)
 deflate_module (shared)
 mime_module (shared)
 log_config_module (shared)
 logio_module (shared)
 env_module (shared)
 expires_module (shared)
 headers_module (shared)
 setenvif_module (shared)
 version_module (shared)
 ssl_module (shared)
 unixd_module (shared)
 status_module (shared)
 autoindex_module (shared)
 cgid_module (shared)
 negotiation_module (shared)
 dir_module (shared)
 alias_module (shared)
 rewrite_module (shared)
 php7_module (shared)

# /usr/local/bin/php -m
[PHP Modules]
bcmath
Core
ctype
curl
date
dom
exif
fileinfo
filter
ftp
gd
hash
iconv
intl
json
libxml
mbstring
mcrypt
mysqli
mysqlnd
openssl
pcre
PDO
pdo_mysql
pdo_sqlite
Phar
posix
Reflection
session
SimpleXML
soap
SPL
sqlite3
standard
tokenizer
xml
xmlreader
xmlwriter
xsl
Zend OPcache
zip
zlib

[Zend Modules]
Zend OPcache

Opcache is turned of in php.ini (I thought the problem was there)

At nginx I have this in the logs:
120.92.10.210 - - [28/Feb/2019:22:56:54 +0100] "GET /index.php?s=/index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=yulxsads.php&vars[1][]=%3C?php%20print(md5(222));$a=str_replace(%22vbnm%22,%22%22,%22asvbnmsert%22);@$a($_POST[qazw]);?%3E HTTP/1.1" 200 7757 "-" "python-requests/2.21.0" "-"

(note: I tested this URL myself but no crash)


At the same time a core was dumped:
Core was generated by `/usr/local/apache2/bin/httpd -k start'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007f6db5a8d88d in getenv () from /lib64/libc.so.6
(gdb) bt full
#0  0x00007f6db5a8d88d in getenv () from /lib64/libc.so.6
No symbol table info available.
#1  0x00007f6db5a80d76 in setlocale () from /lib64/libc.so.6
No symbol table info available.
#2  0x00007f6db12e5de0 in zif_setlocale (execute_data=<optimized out>, return_value=0x7f6d9bfec640)
    at /usr/local/src/php-7.1.26/ext/standard/string.c:4454
        args = 0x7f6d824186e0
        plocale = <optimized out>
        loc = 0x7f6d824fbde0
        retval = <optimized out>
        cat = 6
        num_args = 1
        i = 0
        idx = 0
#3  0x00007f6db14652bd in ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_UNUSED_HANDLER () at /usr/local/src/php-7.1.26/Zend/zend_vm_execute.h:797
        retval = {value = {lval = 140108313494368, dval = 6.9222704394322764e-310, counted = 0x7f6d82418360, str = 0x7f6d82418360, 
            arr = 0x7f6d82418360, obj = 0x7f6d82418360, res = 0x7f6d82418360, ref = 0x7f6d82418360, ast = 0x7f6d82418360, zv = 0x7f6d82418360, 
            ptr = 0x7f6d82418360, ce = 0x7f6d82418360, func = 0x7f6d82418360, ww = {w1 = 2185331552, w2 = 32621}}, u1 = {v = {type = 1 '\001', 
              type_flags = 0 '\000', const_flags = 0 '\000', reserved = 0 '\000'}, type_info = 1}, u2 = {next = 32621, cache_slot = 32621, 
            lineno = 32621, num_args = 32621, fe_pos = 32621, fe_iter_idx = 32621, access_flags = 32621, property_guard = 32621, extra = 32621}}
        call = 0x7f6d82418680
        fbc = 0x7f6d64028850
        ret = 0x7f6d9bfec640
#4  0x00007f6db140bee3 in execute_ex (ex=<optimized out>) at /usr/local/src/php-7.1.26/Zend/zend_vm_execute.h:429
        orig_opline = 0x7f6d82475000
        orig_execute_data = 0x7f6d8245c0a0
#5  0x00007f6db14684fb in zend_execute (op_array=<optimized out>, return_value=<optimized out>) at /usr/local/src/php-7.1.26/Zend/zend_vm_execute.h:474
No locals.
#6  0x00007f6db13c1a67 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3)
    at /usr/local/src/php-7.1.26/Zend/zend.c:1482
        files = {{gp_offset = 40, fp_offset = 32621, overflow_arg_area = 0x7f6d9bfec790, reg_save_area = 0x7f6d9bfec720}}
        i = 1
        file_handle = 0x7f6d9bfee9f0
        op_array = 0x7f6d8252a520
#7  0x00007f6db1351ea0 in php_execute_script (primary_file=primary_file@entry=0x7f6d9bfee9f0) at /usr/local/src/php-7.1.26/main/main.c:2577
        realfile = "�/!dm\177\000\000\000\060!dm\177\000\000\210,\020\\m\177\000\000\000\000\000\000\000\000\000\000\200\003\000\000\000\000\000\000\005\021��m\177\000\000�\000\t\002\000\000\000\000\030��\233m\177\000\000�,\020\\m\177\000\000\210,\020\\\002\000\000\000\001\000\000\000\000\000\000\000\020��\233m\177\000\000\000\000\000\002\000\000\000\000\210,\020\\m\177\000\000\000\000\000\000\000\000\000\000���\233m\177\000\000\000\000\000\000\000\000\000\000K\231\211�m\177", '\000' <repeats 202 times>...
        __orig_bailout = 0x7f6d9bfeea60
        __bailout = {{__jmpbuf = {140108745337440, 8649366419897889551, 34144464, 0, 140108745341376, 0, 8649366420503966479, 8649424189837325071}, 
            __mask_was_saved = 0, __saved_mask = {__val = {0, 0, 0, 0, 0, 0, 140107808060111, 140107808060112, 13, 140107808060288, 140109176240366, 0, 
                140107808060099, 140107808060256, 140107808060274, 8}}}}
        prepend_file_p = 0x0
        append_file_p = 0x0
        prepend_file = {handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, 
                old_handle = 0x0, old_closer = 0x0}, reader = 0x0, fsizer = 0x0, closer = 0x0}}, filename = 0x0, opened_path = 0x0, 
          type = ZEND_HANDLE_FILENAME, free_filename = 0 '\000'}
        append_file = {handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, 
                old_handle = 0x0, old_closer = 0x0}, reader = 0x0, fsizer = 0x0, closer = 0x0}}, filename = 0x0, opened_path = 0x0, 
          type = ZEND_HANDLE_FILENAME, free_filename = 0 '\000'}
        old_cwd = 0x7f6d9bfec790 "/"
        retval = 0
#8  0x00007f6db146aaba in php_handler (r=<optimized out>) at /usr/local/src/php-7.1.26/sapi/apache2handler/sapi_apache2.c:712
        zfd = {handle = {fd = -2109300736, fp = 0x7f6d8246a000, stream = {handle = 0x7f6d8246a000, isatty = 0, mmap = {len = 549, pos = 0, map = 0x0, 
                buf = 0x7f6db8816000 <Address 0x7f6db8816000 out of bounds>, old_handle = 0x0, old_closer = 0x0}, 
              reader = 0x7f6db136b8e0 <_php_stream_read>, fsizer = 0x7f6db134ecb0 <php_zend_stream_fsizer>, 
              closer = 0x7f6db134ec90 <php_zend_stream_mmap_closer>}}, filename = 0x7f6d38042ef0 "/host/user_A/public/index.php", 
          opened_path = 0x0, type = ZEND_HANDLE_MAPPED, free_filename = 0 '\000'}
        __orig_bailout = 0x0
        __bailout = {{__jmpbuf = {140107067957248, 8649366419855946511, 34144464, 0, 140108745341376, 0, 8649366419895792399, 8649424347934274319}, 
            __mask_was_saved = 0, __saved_mask = {__val = {140108611289768, 0, 140109118180451, 140108745337648, 140107067957248, 140107067957688, 
                140109122460671, 140108879639336, 140107067957248, 0, 140107067957248, 140108745337648, 140109135431297, 140107067962456, 
                140109111812294, 34144464}}}}
        ctx = 0x7f6d38043488
        conf = <optimized out>
        brigade = 0x7f6d4c004198
        bucket = <optimized out>
        rv = <optimized out>
        parent_req = 0x0
#9  0x000000000045e8c5 in ap_run_handler ()
No symbol table info available.
#10 0x000000000045f3e5 in ap_invoke_handler ()
No symbol table info available.
#11 0x000000000047f0a3 in ap_internal_redirect ()
No symbol table info available.
#12 0x00007f6db1d6e162 in handler_redirect () from /usr/local/apache2/modules/mod_rewrite.so
No symbol table info available.
#13 0x000000000045e8c5 in ap_run_handler ()
No symbol table info available.
#14 0x000000000045f3e5 in ap_invoke_handler ()
No symbol table info available.
#15 0x000000000047deeb in ap_process_async_request ()
No symbol table info available.
#16 0x00000000004797f5 in ap_process_http_async_connection ()
No symbol table info available.
#17 0x0000000000479a0d in ap_process_http_connection ()
No symbol table info available.
#18 0x000000000046d43c in ap_run_process_connection ()
No symbol table info available.
#19 0x0000000000488e32 in process_socket ()
No symbol table info available.
#20 0x000000000048b77d in worker_thread ()
No symbol table info available.
#21 0x00007f6db6029ce2 in start_thread () from /lib64/libpthread.so.0
No symbol table info available.
#22 0x00007f6db5b4e8cd in clone () from /lib64/libc.so.6
No symbol table info available.


15 minutes later a new core was dump.
In Nginx-error-logs:
2019/02/28 23:15:18 [error] 28427#0: *50733494 upstream prematurely closed connection while reading response header from upstream, client: 193.106.30.98, server: xxxxxx.com, request: "POST /wp-sbb.php HTTP/1.1", upstream: "http://127.0.0.1:80/wp-sbb.php", host: "xxxxxx.com"

Core was generated by `/usr/local/apache2/bin/httpd -k start'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007f6db5adb36a in __strchr_sse2 () from /lib64/libc.so.6
(gdb) bt full
#0  0x00007f6db5adb36a in __strchr_sse2 () from /lib64/libc.so.6
No symbol table info available.
#1  0x00007f6db5a8d8d8 in putenv () from /lib64/libc.so.6
No symbol table info available.
#2  0x00007f6db12ae782 in php_putenv_destructor (zv=<optimized out>) at /usr/local/src/php-7.1.26/ext/standard/basic_functions.c:3435
        pe = 0x7f6d34a23e20
#3  0x00007f6db13d2972 in zend_hash_destroy (ht=0x7f6ce806dd18) at /usr/local/src/php-7.1.26/Zend/zend_hash.c:1246
        p = 0x7f6d34a54f20
        end = 0x7f6d34a54f40
#4  0x00007f6db12ae8ec in zm_deactivate_basic (type=1, module_number=35) at /usr/local/src/php-7.1.26/ext/standard/basic_functions.c:3811
No locals.
#5  0x00007f6db13c830c in zend_deactivate_modules () at /usr/local/src/php-7.1.26/Zend/zend_API.c:2576
        module = <optimized out>
        p = 0x2849c70
        __orig_bailout = 0x0
        __bailout = {{__jmpbuf = {140109111745076, 8649830570995790607, 140109111745076, 0, 140108812483008, 0, 8649357619503608591, 
              8649424125633540879}, __mask_was_saved = 0, __saved_mask = {__val = {0, 0, 140109099586621, 41622448, 140105725517728, 140105725518112, 
                140109101722110, 0, 140109101750980, 140109111738420, 140109101602570, 0, 0, 0, 0, 0}}}}
#6  0x00007f6db1350b12 in php_request_shutdown (dummy=dummy@entry=0x0) at /usr/local/src/php-7.1.26/main/main.c:1876
        report_memleaks = 1 '\001'
#7  0x00007f6db146a94f in php_apache_request_dtor (r=<optimized out>) at /usr/local/src/php-7.1.26/sapi/apache2handler/sapi_apache2.c:552
No locals.
#8  php_handler (r=<optimized out>) at /usr/local/src/php-7.1.26/sapi/apache2handler/sapi_apache2.c:724
        ctx = 0x7f6d88005430
        conf = <optimized out>
        brigade = 0x7f6d88005b48
        bucket = <optimized out>
        rv = <optimized out>
        parent_req = 0x0
#9  0x000000000045e8c5 in ap_run_handler ()
No symbol table info available.
#10 0x000000000045f3e5 in ap_invoke_handler ()
No symbol table info available.
#11 0x000000000047deeb in ap_process_async_request ()
No symbol table info available.
#12 0x00000000004797f5 in ap_process_http_async_connection ()
No symbol table info available.
#13 0x0000000000479a0d in ap_process_http_connection ()
No symbol table info available.
#14 0x000000000046d43c in ap_run_process_connection ()
No symbol table info available.
#15 0x0000000000488e32 in process_socket ()
No symbol table info available.
#16 0x000000000048b77d in worker_thread ()
No symbol table info available.
#17 0x00007f6db6029ce2 in start_thread () from /lib64/libpthread.so.0
No symbol table info available.
#18 0x00007f6db5b4e8cd in clone () from /lib64/libc.so.6
No 

Core was generated by `/usr/local/apache2/bin/httpd -k start'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007f6db5adb36a in __strchr_sse2 () from /lib64/libc.so.6
(gdb) bt full
#0  0x00007f6db5adb36a in __strchr_sse2 () from /lib64/libc.so.6
No symbol table info available.
#1  0x00007f6db5a8d8d8 in putenv () from /lib64/libc.so.6
No symbol table info available.
#2  0x00007f6db12ae782 in php_putenv_destructor (zv=<optimized out>) at /usr/local/src/php-7.1.26/ext/standard/basic_functions.c:3435
        pe = 0x7f6d34a23e20
#3  0x00007f6db13d2972 in zend_hash_destroy (ht=0x7f6ce806dd18) at /usr/local/src/php-7.1.26/Zend/zend_hash.c:1246
        p = 0x7f6d34a54f20
        end = 0x7f6d34a54f40
#4  0x00007f6db12ae8ec in zm_deactivate_basic (type=1, module_number=35) at /usr/local/src/php-7.1.26/ext/standard/basic_functions.c:3811
No locals.
#5  0x00007f6db13c830c in zend_deactivate_modules () at /usr/local/src/php-7.1.26/Zend/zend_API.c:2576
        module = <optimized out>
        p = 0x2849c70
        __orig_bailout = 0x0
        __bailout = {{__jmpbuf = {140109111745076, 8649830570995790607, 140109111745076, 0, 140108812483008, 0, 8649357619503608591, 
              8649424125633540879}, __mask_was_saved = 0, __saved_mask = {__val = {0, 0, 140109099586621, 41622448, 140105725517728, 140105725518112, 
                140109101722110, 0, 140109101750980, 140109111738420, 140109101602570, 0, 0, 0, 0, 0}}}}
#6  0x00007f6db1350b12 in php_request_shutdown (dummy=dummy@entry=0x0) at /usr/local/src/php-7.1.26/main/main.c:1876
        report_memleaks = 1 '\001'
#7  0x00007f6db146a94f in php_apache_request_dtor (r=<optimized out>) at /usr/local/src/php-7.1.26/sapi/apache2handler/sapi_apache2.c:552
No locals.
#8  php_handler (r=<optimized out>) at /usr/local/src/php-7.1.26/sapi/apache2handler/sapi_apache2.c:724
        ctx = 0x7f6d88005430
        conf = <optimized out>
        brigade = 0x7f6d88005b48
        bucket = <optimized out>
        rv = <optimized out>
        parent_req = 0x0
#9  0x000000000045e8c5 in ap_run_handler ()
No symbol table info available.
#10 0x000000000045f3e5 in ap_invoke_handler ()
No symbol table info available.
#11 0x000000000047deeb in ap_process_async_request ()
No symbol table info available.
#12 0x00000000004797f5 in ap_process_http_async_connection ()
No symbol table info available.
#13 0x0000000000479a0d in ap_process_http_connection ()
No symbol table info available.
#14 0x000000000046d43c in ap_run_process_connection ()
No symbol table info available.
#15 0x0000000000488e32 in process_socket ()
No symbol table info available.
#16 0x000000000048b77d in worker_thread ()
No symbol table info available.
#17 0x00007f6db6029ce2 in start_thread () from /lib64/libpthread.so.0
No symbol table info available.
#18 0x00007f6db5b4e8cd in clone () from /lib64/libc.so.6
No symbol table info available.



Another 5 minutes later again a core dump.
Possible entry in Nginx
178.116.29.152 - - [28/Feb/2019:23:20:29 +0100] "GET / HTTP/1.1" 502 173 "https://www.google.be/" "Mozilla/5.0 (iPad; CPU OS 12_1_4 like Mac OS X) AppleW
ebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1" "-"

#0  0x00007f6db5b8bb47 in __strncmp_sse42 () from /lib64/libc.so.6
No symbol table info available.
#1  0x00007f6db12af58e in zif_putenv (execute_data=<optimized out>, return_value=0x7f6d9eff2730)
    at /usr/local/src/php-7.1.26/ext/standard/basic_functions.c:4178
        setting = 0x7f6d829f19a8 "MAGICK_THREAD_LIMIT=1"
        setting_len = 21
        p = 0x7f6d423e0a4b ""
        env = 0x7f6d6c02f778
        pe = {putenv_string = 0x7f6d8b26b438 "MAGICK_THREAD_LIMIT=1", previous_value = 0x0, key = 0x7f6d423e0a38 "MAGICK_THREAD_LIMIT", key_len = 19}
#2  0x00007f6db141d50d in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER () at /usr/local/src/php-7.1.26/Zend/zend_vm_execute.h:628
        call = 0x7f6d8b21c0a0
        fbc = 0x7f6d2000f040
        ret = 0x7f6d9eff2730
        retval = {value = {lval = 140108462407648, dval = 6.9222777967258622e-310, counted = 0x7f6d8b21bfe0, str = 0x7f6d8b21bfe0, 
            arr = 0x7f6d8b21bfe0, obj = 0x7f6d8b21bfe0, res = 0x7f6d8b21bfe0, ref = 0x7f6d8b21bfe0, ast = 0x7f6d8b21bfe0, zv = 0x7f6d8b21bfe0, 
            ptr = 0x7f6d8b21bfe0, ce = 0x7f6d8b21bfe0, func = 0x7f6d8b21bfe0, ww = {w1 = 2334244832, w2 = 32621}}, u1 = {v = {type = 1 '\001', 
              type_flags = 0 '\000', const_flags = 0 '\000', reserved = 0 '\000'}, type_info = 1}, u2 = {next = 32621, cache_slot = 32621, 
            lineno = 32621, num_args = 32621, fe_pos = 32621, fe_iter_idx = 32621, access_flags = 32621, property_guard = 32621, extra = 32621}}
#3  0x00007f6db140bee3 in execute_ex (ex=<optimized out>) at /usr/local/src/php-7.1.26/Zend/zend_vm_execute.h:429
        orig_opline = 0x7f6d8b275000
        orig_execute_data = 0x7f6d8b25c0a0
#4  0x00007f6db14684fb in zend_execute (op_array=<optimized out>, return_value=<optimized out>) at /usr/local/src/php-7.1.26/Zend/zend_vm_execute.h:474
No locals.
#5  0x00007f6db13c1a67 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3)
    at /usr/local/src/php-7.1.26/Zend/zend.c:1482
        files = {{gp_offset = 40, fp_offset = 32621, overflow_arg_area = 0x7f6d9eff2880, reg_save_area = 0x7f6d9eff2810}}
        i = 1
        file_handle = 0x7f6d9eff4ae0
        op_array = 0x7f6d82b51340
#6  0x00007f6db1351ea0 in php_execute_script (primary_file=primary_file@entry=0x7f6d9eff4ae0) at /usr/local/src/php-7.1.26/main/main.c:2577
        realfile = '\000' <repeats 136 times>, "�35�m\177", '\000' <repeats 18 times>, "XD�\236m\177\000\000\001\000\000\000m\177", '\000' <repeats 18 times>, "$�\002\000\000\000\000\000"...
        __orig_bailout = 0x7f6d9eff4b50
        __bailout = {{__jmpbuf = {140108795693904, 8649359819508331279, 34144464, 0, 140108795697600, 0, 8649359816356311823, 8649424189837325071}, 
            __mask_was_saved = 0, __saved_mask = {__val = {140107741346632, 0, 140108795697600, 0, 140109190633803, 0 <repeats 11 times>}}}}
        prepend_file_p = 0x0
        append_file_p = 0x0
        prepend_file = {handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, 
                old_handle = 0x0, old_closer = 0x0}, reader = 0x0, fsizer = 0x0, closer = 0x0}}, filename = 0x0, opened_path = 0x0, 
          type = ZEND_HANDLE_FILENAME, free_filename = 0 '\000'}
        append_file = {handle = {fd = 0, fp = 0x0, stream = {handle = 0x0, isatty = 0, mmap = {len = 0, pos = 0, map = 0x0, buf = 0x0, 
                old_handle = 0x0, old_closer = 0x0}, reader = 0x0, fsizer = 0x0, closer = 0x0}}, filename = 0x0, opened_path = 0x0, 
          type = ZEND_HANDLE_FILENAME, free_filename = 0 '\000'}
        old_cwd = 0x7f6d9eff2880 "/"
        retval = 0
#7  0x00007f6db146aaba in php_handler (r=<optimized out>) at /usr/local/src/php-7.1.26/sapi/apache2handler/sapi_apache2.c:712
        zfd = {handle = {fd = -1960402944, fp = 0x7f6d8b26a000, stream = {handle = 0x7f6d8b26a000, isatty = 0, mmap = {len = 420, pos = 0, map = 0x0, 
                buf = 0x7f6db8644000 <Address 0x7f6db8644000 out of bounds>, old_handle = 0x0, old_closer = 0x0}, 
              reader = 0x7f6db136b8e0 <_php_stream_read>, fsizer = 0x7f6db134ecb0 <php_zend_stream_fsizer>, 
              closer = 0x7f6db134ec90 <php_zend_stream_mmap_closer>}}, 
          filename = 0x7f6d7805a8b0 "/host/user_b/public/index.php", opened_path = 0x0, type = ZEND_HANDLE_MAPPED, 
          free_filename = 0 '\000'}
        __orig_bailout = 0x0
        __bailout = {{__jmpbuf = {140107738844880, 8649359819466388239, 34144464, 0, 140108795697600, 0, 8649359819506234127, 8649424347934274319}, 
            __mask_was_saved = 0, __saved_mask = {__val = {140107738844760, 0, 140109118180451, 140108795694112, 140107738844880, 0, 140109122460671, 
                34016304, 140107738844880, 0, 140107738844880, 140108141794240, 140107738844880, 140107741351528, 140109111812294, 34144464}}}}
        ctx = 0x7f6d60274e70
        conf = <optimized out>
        brigade = 0x7f6d2416c4a0
        bucket = <optimized out>
        rv = <optimized out>
        parent_req = 0x0
#8  0x000000000045e8c5 in ap_run_handler ()
No symbol table info available.
#9  0x000000000045f3e5 in ap_invoke_handler ()
No symbol table info available.
#10 0x000000000047deeb in ap_process_async_request ()
No symbol table info available.
#11 0x00000000004797f5 in ap_process_http_async_connection ()
No symbol table info available.
#12 0x0000000000479a0d in ap_process_http_connection ()
No symbol table info available.
#13 0x000000000046d43c in ap_run_process_connection ()
No symbol table info available.
#14 0x0000000000488e32 in process_socket ()
No symbol table info available.
#15 0x000000000048b77d in worker_thread ()
No symbol table info available.
#16 0x00007f6db6029ce2 in start_thread () from /lib64/libpthread.so.0
No symbol table info available.
#17 0x00007f6db5b4e8cd in clone () from /lib64/libc.so.6
No symbol table info available



Any idea how to prevent this?

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2019-03-01 03:00 UTC] danack@php.net

So.

I'm just going to make some notes.

Two bits of the stack traces have:

#0  0x00007f6db5adb36a in __strchr_sse2 () from /lib64/libc.so.6
No symbol table info available.
#1  0x00007f6db5a8d8d8 in putenv () from /lib64/libc.so.6
No symbol table info available.

And:

#0  0x00007f6db5a8d88d in getenv () from /lib64/libc.so.6
No symbol table info available.
#1  0x00007f6db5a80d76 in setlocale () from /lib64/libc.so.6

I've known setlocale is not thread safe - but apparently neither is getenv() + putenv()



From http://man7.org/linux/man-pages/man3/getenv.3.html
> Concurrently calling this function is safe, provided that the environment remains unchanged.



http://man7.org/linux/man-pages/man7/attributes.7.html under 'Other safety remarks - env'

> Functions marked with env as an MT-Safety issue access the
> environment with getenv(3) or similar, without any guards to
> ensure safety in the presence of concurrent modifications.
>
> We do not mark these functions as MT-Unsafe, however, because
> functions that modify the environment are all marked with
> const:env and regarded as unsafe.  Being unsafe, the latter
> are not to be called when multiple threads are running or
> asynchronous signals are enabled, and so the environment can
> be considered effectively constant in these contexts, which
> makes the former safe.

[2019-03-01 03:03 UTC] danack@php.net

So possibly this might be an altering the environment issue. 

One of the stacks appears to be something writing "MAGICK_THREAD_LIMIT=1" into the environment.

This can also be achieve by editing the policy.xml file that was installed by ImageMagick, that will be on your system somewhere. 

Either editing or adding an entry for thread, like:

<policy domain="resource" name="thread" value="1"/>

Can you try doing that, and seeing if that at least removes those entries from your system?

[2019-03-01 03:16 UTC] danack@php.net

Please could you also try to find what is calling setlocale and seeing if that can be disabled?

[2019-03-01 07:15 UTC] pascal dot nobus at webservice dot be

Danack:
- there is nog imagemagic on this system.
- sites are Wordpress-5.1, Wordpress-4.9.9, Drupal-8.2.6, so no special things that is calling setlocale.

It seems to me that disabling opcache helped a bit (4 Segfault in 24h, insteadoff 10-20).

Another thought that is was hardware, or the fact that apache is mpm_event (with php compiled as mod_php) was also ruled out because I see the same effect on other servers (also ones compiled with mpm_prefork).

[2019-03-01 08:28 UTC] nikic@php.net

Note that thread-safety in PHP 7.0 and 7.1 is pretty thoroughly broken. If you're running in a threaded environment, then PHP 7.2 (or newer) is needed.

[2019-03-01 08:52 UTC] pascal dot nobus at webservice dot be

The segfaults are also occurring on apache mpm-prefork, which is non-threaded

[2019-03-01 12:27 UTC] danack@php.net

>  there is nog imagemagic on this system.

Whether or not ImageMagick is on the system, something is called putenv with the string "MAGICK_THREAD_LIMIT=1". From your crash log:


#1  0x00007f6db12af58e in zif_putenv (execute_data=<optimized out>, return_value=0x7f6d9eff2730)
    at /usr/local/src/php-7.1.26/ext/standard/basic_functions.c:4178
        setting = 0x7f6d829f19a8 "MAGICK_THREAD_LIMIT=1"
        setting_len = 21
        p = 0x7f6d423e0a4b ""
        env = 0x7f6d6c02f778
        pe = {putenv_string = 0x7f6d8b26b438 "MAGICK_THREAD_LIMIT=1", previous_value = 0x0, key = 0x7f6d423e0a38 "MAGICK_THREAD_LIMIT", key_len = 19}


> so no special things that is calling setlocale.

Again, the crash log says that's exactly where one of the crashes comes from:

#1  0x00007f6db5a80d76 in setlocale () from /lib64/libc.so.6
No symbol table info available.
#2  0x00007f6db12e5de0 in zif_setlocale (execute_data=<optimized out>, return_value=0x7f6d9bfec640)


For reference, I can see that there are some setlocale calls in Drupal: https://github.com/drupal/core/blob/6864b728155310851b3919e41c0d32941c5e62ae/lib/Drupal/Core/DrupalKernel.php#L1028


It's not guaranteed to be the cause, but seeing as that is where the errors are occurring, it does seem worth the effort to track these down and try removing them to see if that fixes the problem.

[2019-03-01 16:46 UTC] pascal dot nobus at webservice dot be

I just had another crash, and yes: all is pointing now towards setlocale.
(gdb) bt full
#0 0x00007f6db5a8d88d in getenv () from /lib64/libc.so.6
No symbol table info available.
#1 0x00007f6db5a80d76 in setlocale () from /lib64/libc.so.6
No symbol table info available.

In the script that caused the crash I saw:
setlocale(LC_ALL, 'nl_NL');

Because it's impossible to scan all our websites I set setlocale in the disable_functions in php.ini.
The website that was calling this function didn't report any errors, nor an error in the php-log.

For the MAGICK_THREAD_LIMIT=1 thing:
As you can see in our modules list: no imagmagic compiled (couldn't be, as it is not on our servers).
However in the WP-plugin woocommerce I did find this call
wp-content/plugins/woocommerce/includes/class-wc-regenerate-images-request.php
@putenv( 'MAGICK_THREAD_LIMIT=1' );
Theres a reason for this: https://core.trac.wordpress.org/ticket/36534
I tried it myself with a script but no crashes.
I have no idea how to prevent these crashes, but maybe the reason for this crash lies with the earlier setlocale.
As setlocale in the php-docs say:
The locale information is maintained per process, not per thread. If you are running PHP on a multithreaded server API like IIS, HHVM or Apache on Windows, you may experience sudden changes in locale settings while a script is running, though the script itself never called setlocale(). This happens due to other scripts running in different threads of the same process at the same time, changing the process-wide locale using setlocale().

[2019-03-01 19:55 UTC] danack@php.net

I commented on that wordpress bug.

Imagick::setResourceLimit(\Imagick::RESOURCETYPE_THREAD, 1); should be safe to use, (if wrapped in a check for if Imagick exists). 

But it isn't required if the appropriate entry to one in the policy.xml anyway.

Pascal - please can you update the ticket in a few days time to say if disable the other setlocale /  putenvs eliminates the crashes?

I'm going to leave the ticket open for now, to think about it.

[2019-03-01 20:24 UTC] pascal dot nobus at webservice dot be

I will report if the problem is fixed by putting setlocale in disable_functions.

Is it possible that this has something to do with it:
7.0.0 	Support for the category parameter passed as a string has been removed. Only LC_* constants can be used as of this version. 
(the crashes came after upgrading from 5.6)


For the MAGICK_THREAD_LIMIT:
@putenv( 'MAGICK_THREAD_LIMIT=1' );
isn't safe wrapped for only Imagick.
It's in the constructor of class WC_Regenerate_Images_Request which is used for many processes (including WP_Image_Editor_GD)
And offcourse there is no policy.xml if Imagick isn't installed at all.
However I'm not certain that this crash wasn't a result of previous error with setlocale.

[2019-03-02 17:26 UTC] pascal dot nobus at webservice dot be

It seems the crashes got less, however I still got some new ones:

#0  0x00007f6db5adb36a in __strchr_sse2 () from /lib64/libc.so.6
No symbol table info available.
#1  0x00007f6db5a8d8d8 in putenv () from /lib64/libc.so.6
No symbol table info available.
#2  0x00007f6db12ae782 in php_putenv_destructor (zv=<optimized out>)
    at /usr/local/src/php-7.1.26/ext/standard/basic_functions.c:3435
        pe = 0x7f6d10e2a900


#0  0x00007f6db5b8acb8 in __strchr_sse42 () from /lib64/libc.so.6
No symbol table info available.
#1  0x00007f6db1360654 in _php_import_environment_variables (array_ptr=0x7f6d48001dd0)
    at /usr/local/src/php-7.1.26/main/php_variables.c:527
        buf = "_\000BROKEN_FILENAMES\000{m\177", '\000' <repeats 18 times>, "\220��\233m\177\000\000\060�\003Hm\177\000\000\220��\233m\177\000\000\002\000\000\000\000\000\000\000�\222\071�m\177\000\000�\201�{m\177\000\000@z�{m\177\000\000\000\000\000\000\000\000\000\000�U=�m\177\000\000@��{m\177\000\000\060��\233m\177\000"
        env = 0x7f6d44030650
        p = <optimized out>
        t = 0x7f6d9bffbb70 "_"
        alloc_size = 128
        nlen = <optimized out>
#2  0x00007f6db135fb9f in php_auto_globals_create_env (name=0x27b1c70) at /usr/local/src/php-7.1.26/main/php_variables.c:813
No locals.


#0  0x00007f6db5adb36a in __strchr_sse2 () from /lib64/libc.so.6
No symbol table info available.
#1  0x00007f6db5a8d8d8 in putenv () from /lib64/libc.so.6
No symbol table info available.
#2  0x00007f6db12ae782 in php_putenv_destructor (zv=<optimized out>)
    at /usr/local/src/php-7.1.26/ext/standard/basic_functions.c:3435
        pe = 0x7f6d00c31900


#0  0x00007f6db5adb36a in __strchr_sse2 () from /lib64/libc.so.6
No symbol table info available.
#1  0x00007f6db5a8d8d8 in putenv () from /lib64/libc.so.6
No symbol table info available.
#2  0x00007f6db12ae782 in php_putenv_destructor (zv=<optimized out>)
    at /usr/local/src/php-7.1.26/ext/standard/basic_functions.c:3435
        pe = 0x7f6d24c31b40



It seems that putenv is also causing crashing (not thread safe?)

I'm going to change the worker from mpm_event to mpm_prefork.

[2019-03-04 23:13 UTC] pascal dot nobus at webservice dot be

I had several days without any segfaults now.

So it's pretty safe to conclude that Apache MPM-event together with mod_php is causing Segfault when doing something with the enviroment or locales.

So it's not only non-thread-safe, but also causing crashes.

I have no idea that this is something that can be fixed within PHP/apache.

[2019-03-07 09:32 UTC] cmb@php.net

-Status: Open +Status: Wont fix -Assigned To: +Assigned To: cmb

[2019-03-07 09:32 UTC] cmb@php.net

Active support for PHP 7.1 ended months ago[1], so this issue will
not be fixed.  If you experience the same problems with an
actively supported PHP version, please re-open the ticket and
state the PHP version.

[1] <http://php.net/supported-versions.php>

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat Nov 01 10:00:02 2025 UTC